inline-signing breaks nsdiff.
Petr Špaček
pspacek at isc.org
Mon Oct 2 11:24:02 UTC 2023
On 01. 10. 23 21:10, Björn Persson wrote:
> I find that when both inline-signing and update-policy are in use, I
> can't detect race conditions with the method described in RFC 2136
> section 5.7, which nsdiff uses.
>
> It seems that a serial number specified in a prerequisite of an update
> is compared to the unsigned version of the zone, but the serial number
> retrieved with a SOA or AXFR query is from the signed version. Thus the
> update fails when BIND has renewed some RRSIG records and changed the
> signed serial number.
>
> Checking prerequisites against records that can't be looked up seems
> like a bad idea to me.
>
> In a zone that uses dnssec-policy and relies on the default value of
> inline-signing, the method in RFC 2136 section 5.7 will stop working on
> upgrade to BIND 9.20, as inline-signing will then be switched on by
> default, if I understand correctly. I have set "inline-signing no;"
> explicitly in all my zones to prevent future breakage.
I can see what you mean. Please open an issue in our Gitlab:
https://gitlab.isc.org/isc-projects/bind9/-/issues/new
... and we will discuss what can be done about it.
It would be great if you add a step-by-step reproducer for the problem. It
will greatly help us to write an automated test for it.
Thank you for your time.
--
Petr Špaček
Internet Systems Consortium
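To make the reported failure mode concrete, here is an added Python model of the RFC 2136 section 5.7 race-detection method (read the SOA serial, then make the update conditional on that serial). It is not BIND, nsdiff or ISC code; the zone data, serials and the split between an unsigned and a signed copy are constructed, and the assumption that prerequisites are evaluated against the unsigned copy while queries answer from the signed copy is taken from the report above, not from BIND's source. The three scenarios show the method working without inline-signing, a genuine race being caught, and the spurious NXRRSET that appears once RRSIG renewal has bumped only the signed serial.

```python
"""Model of RFC 2136 section 5.7 race detection against a zone served with
and without inline-signing.  Added example with constructed data; the
server behaviour is a simplified model of what the thread describes, not
a description of BIND internals."""
from dataclasses import dataclass, field
from typing import Optional

NOERROR, NXRRSET = "NOERROR", "NXRRSET"


@dataclass
class ZoneVersion:
    """One copy of a zone: its SOA serial plus a (name -> address) map."""
    serial: int
    records: dict = field(default_factory=dict)


@dataclass
class Server:
    """Toy authoritative server.  With inline_signing the signed copy answers
    queries, while prerequisites are checked against the unsigned copy
    (assumption of this model, taken from the report above)."""
    unsigned: ZoneVersion
    inline_signing: bool
    signed: Optional[ZoneVersion] = None

    def __post_init__(self):
        if self.inline_signing and self.signed is None:
            self.signed = ZoneVersion(self.unsigned.serial, dict(self.unsigned.records))

    def query_soa_serial(self) -> int:
        """What a SOA or AXFR query returns to the client."""
        return self.signed.serial if self.inline_signing else self.unsigned.serial

    def renew_rrsigs(self) -> None:
        """Periodic RRSIG renewal: only the signed copy gets a new serial."""
        if self.inline_signing:
            self.signed.serial += 1

    def update(self, prereq_serial: int, changes: dict) -> str:
        """Apply a dynamic update whose prerequisite is an 'RRset exists
        (value dependent)' check on the SOA serial (RFC 2136 section 2.4.2).
        The check is made against the unsigned copy (modelled behaviour)."""
        if self.unsigned.serial != prereq_serial:
            return NXRRSET
        self.unsigned.records.update(changes)
        self.unsigned.serial += 1
        if self.inline_signing:
            # Re-sign: the signed copy takes the change with a serial above both.
            self.signed.records = dict(self.unsigned.records)
            self.signed.serial = max(self.signed.serial, self.unsigned.serial) + 1
        return NOERROR


def race_safe_update(server: Server, changes: dict) -> str:
    """The RFC 2136 section 5.7 method nsdiff uses: read the serial, then
    make the update conditional on it so a concurrent change is detected."""
    serial_seen = server.query_soa_serial()
    return server.update(serial_seen, changes)


def scenario_without_inline_signing() -> str:
    """No second copy: the serial the client sees is the one checked."""
    srv = Server(ZoneVersion(10, {"www": "192.0.2.1"}), inline_signing=False)
    srv.renew_rrsigs()  # no-op here
    return race_safe_update(srv, {"www": "192.0.2.2"})  # NOERROR


def scenario_real_race() -> str:
    """Two clients read serial 10; the second update must be rejected."""
    srv = Server(ZoneVersion(10, {"www": "192.0.2.1"}), inline_signing=False)
    serial_seen = srv.query_soa_serial()
    srv.update(serial_seen, {"mail": "192.0.2.3"})  # competing client wins
    return srv.update(serial_seen, {"www": "192.0.2.2"})  # NXRRSET, as intended


def scenario_with_inline_signing() -> str:
    """RRSIG renewal moved the signed serial to 11 while the unsigned copy
    stays at 10; the client's prerequisite carries 11 and fails although
    nobody else changed the zone."""
    srv = Server(ZoneVersion(10, {"www": "192.0.2.1"}), inline_signing=True)
    srv.renew_rrsigs()
    return race_safe_update(srv, {"www": "192.0.2.2"})  # spurious NXRRSET


if __name__ == "__main__":
    print("no inline-signing:", scenario_without_inline_signing())
    print("real race caught: ", scenario_real_race())
    print("inline-signing:   ", scenario_with_inline_signing())
```

The last scenario is the one to watch when checking whether a deployment is affected: an NXRRSET on a serial prerequisite with no competing writer, shortly after signature maintenance, points at the two serials diverging rather than at a real race.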